This module should be read in conjunction with the Introduction and with the Glossary, which contains an explanation of abbreviations and other terms used in this Manual. If reading on-line, click on blue underlined headings to activate hyperlinks to the relevant module.


Purpose
To set out the HKMA’s supervisory approach to operational resilience and provide AIs with guidance on the general principles which they are expected to consider when developing their operational resilience framework.


Classification 
A non-statutory guideline issued by the MA as a guidance note. 


Previous guidelines superseded 
This is a new guideline. 


Application
To all AIs.


Structure

1. Definition of operational resilience
2. Operational resilience framework
3. Role of the Board and senior management
4. Determining operational resilience parameters
   4.1 Identifying critical operations
   4.2 Setting tolerance for disruption
   4.3 Identifying severe but plausible scenarios
5. Mapping interconnections and interdependencies underlying critical operations
6. Preparing for and managing risks to critical operations delivery
7. Testing ability to deliver critical operations under severe but plausible scenarios
8. Responding to and recovering from incidents
9. Implementation of operational resilience requirements
   9.1 Application
   9.2 Timeline for implementation
   9.3 Supervisory approach

1. Definition of operational resilience

1.1 Operational disruptions (including those due to pandemics, cyber incidents, technology failures and natural disasters) can affect the viability of individual financial institutions, and in turn, the stability of the wider financial system. This underscores the significance of operational resilience as a supervisory focus and has motivated many regulators around the world and standard setting bodies to issue guidance that aims to improve the operational resilience of financial institutions.

1.2 The Principles for Operational Resilience (POR) issued by the Basel Committee on Banking Supervision (BCBS) in March 2021 defines operational resilience as the ability of a bank to deliver critical operations through disruption. This ability enables a bank to identify and protect itself from threats and potential failures, respond and adapt to, as well as recover and learn from disruptive events in order to minimise their impact on the delivery of critical operations through disruption.

1.3 The HKMA expects all AIs in Hong Kong to be operationally resilient. The HKMA will consider an AI to be operationally resilient if it is able to satisfy the following requirements:

• Identify and mitigate risks that may threaten delivery of critical operations. In relation to an AI, “critical operations” refers to: (i) activities, processes and services performed by the AI, as well as (ii) the supporting assets (including people, technology, information and facilities) necessary for the delivery of such activities and services, which if disrupted, could pose material risks to the viability of the AI itself or impact the AI’s role within the Hong Kong financial system.¹

• Continue to deliver critical operations when disruptions occur, including under severe but plausible scenarios. For this purpose, disruptions to an AI’s critical operations must not exceed its “tolerance for disruption”, which is defined as the maximum level of disruption to a critical operation that an AI can accept, and is in practice the point after which further disruption would pose risks to the viability of the AI or impact its role within the Hong Kong financial system. “Severe but plausible scenarios” refers to situations that would result in significant disruptions, and while unlikely to occur, remain probable.

• Resume normal operations in a timely manner after disruptions occur; and

• Absorb learnings from disruptions or near-misses to continually improve its ability to prevent, adapt to and recover from risks and disruptions to critical operations delivery.

¹ These should include any “critical financial functions”, as defined in the Code of Practice “CI-1 Resolution Planning — Core Information Requirements”, that may be performed by the AI.



2. Operational resilience framework

2.1 An AI should develop an operational resilience framework which enables it to satisfy the requirements detailed in Section 1.3.

2.2 Given the importance of operational resilience for an AI to operate smoothly and remain viable under extreme scenarios, an AI’s Board of Directors (Board) and senior management are expected to actively participate in establishing, implementing and overseeing the operational resilience framework.

2.3 At a minimum, an AI should include the following components within its operational resilience framework. Further guidance on how AIs may approach each of these components is provided in the subsequent sections of this module.

• Mechanism for determining the operational resilience parameters, namely critical operations, tolerance for disruption and severe but plausible scenarios. (Section 4)

• Mapping exercises which enable an AI to develop a detailed understanding of the interconnections and interdependencies that underlie critical operations delivery, and in turn, identify what risks or events may affect or disrupt critical operations delivery. (Section 5)

• Risk management policies and frameworks that help an AI prepare for and manage the various risks to critical operations delivery in an integrated and holistic way. (Section 6)

• Scenario testing which enables an AI to regularly assess whether it is able to continue delivering critical operations through disruption, including under severe but plausible scenarios. (Section 7)

• An incident management programme which allows an AI to effectively respond to and manage disruptions to critical operations delivery. (Section 8)

2.4 An AI may determine the most appropriate approach to developing its operational resilience framework, taking into account its particular circumstances. AIs may refer to Diagram 1 for an illustration of how the different components can be brought together to create a holistic operational resilience framework. It is important to note that developing operational resilience is an iterative process. The process will not always be linear. An AI should actively apply learnings from its implementation of the framework and the management of actual incidents to continually improve on the effectiveness of the framework.

Diagram 1: Step-by-step approach to developing a holistic operational resilience framework

[Diagram 1 is a flow chart; the text recoverable from it is:]
1. Determine operational resilience parameters, i.e. “critical operations”, “tolerance for disruption”, and “severe but plausible scenarios” (Section 4)
2. Map interconnections and interdependencies underlying critical operations delivery (Section 5)
3. Prepare for and manage risks to critical operations delivery (Section 6), shown alongside 3. Test ability to deliver critical operations under severe but plausible scenarios (Section 7)
4. Respond to and recover from incidents (Section 8)
Side labels: “Develop holistic and integrated approach to managing risks to critical operations delivery”; “Continual refinement and enhancement of [...]”

3. Role of the Board and senior management

3.1 The Board should be ultimately responsible for approving an AI’s operational resilience framework and for overseeing its implementation. When formulating the framework, the Board should take into consideration the AI’s risk appetite. For overseas incorporated AIs, this role should rest with the management team at the head office or the regional headquarters overseeing the Hong Kong operations of the AI.

3.2 Senior management should implement the operational resilience framework and ensure that sufficient resources (including financial, technological and otherwise) are allocated to this purpose. To facilitate the Board’s oversight, senior management should provide regular and timely reports to the Board on the ongoing operational resilience of the AI’s business units, particularly when significant deficiencies could affect the delivery of the AI’s critical operations.






3.3 The Board and senior management should actively participate in the setting and review of an AI’s operational resilience parameters. Specifically:

• The Board should approve and regularly review: (i) the criteria for determining an AI’s critical operations; and (ii) the actual list of critical operations. The reviews should be conducted no less than annually or when major operational changes occur.

• The Board is responsible for setting the tolerance for disruption. Assisted by senior management, it should also review the tolerance for disruption at least on an annual basis or when major operational changes occur.

• Senior management should identify and the Board should approve the severe but plausible scenarios which will be used to review whether an AI is operationally resilient. Both the Board and senior management should regularly review the continued relevance of the scenarios identified.

3.4 The Board bears ultimate responsibility for ensuring that an AI remains operationally resilient. This would require the Board to take appropriate action to address any deficiencies identified in an AI’s ability to remain within its tolerance for disruption. In the event that there is more than one source of deficiency, the Board should suitably prioritise the remedial actions. As a general principle, the Board should place its focus on making improvements to those areas that would result in larger disruptions, higher risks or are facing more significant deficiencies. For instance, an AI should prioritise a critical operation that would sooner breach its tolerance for disruption over one that is less time sensitive, or a critical operation that is further away from remaining within its tolerance for disruption over one that is largely within its tolerance for disruption.

3.5 The Board and senior management should regularly review the suitability and effectiveness of the AI’s operational resilience framework. These reviews are particularly important following operational changes and during the transitory period after an operational change comes into effect.

3.6 The Board should play an active role in establishing a broad understanding of the AI’s operational resilience framework. It should clearly communicate the objectives of the framework to all relevant parties, including staff, intragroup entities and third parties. Regular training on the AI’s operational resilience framework should be provided to these parties to reinforce their understanding.



4. Determining operational resilience parameters

4.1 Identifying critical operations

4.1.1 As a first step to developing a sound operational resilience framework, an AI should identify its critical operations. The number of critical operations identified should be commensurate with the size, nature and complexity of the AI’s operations.

When identifying its critical operations, an AI should take into consideration a set of defined criteria. These criteria should allow an AI to critically assess whether an operation, if disrupted, would affect:

(a) The AI’s viability. Possible factors to consider include the impact on customers and personnel, and financial, reputational, legal and regulatory implications.

(b) The AI’s role in the Hong Kong financial system. Possible factors to consider include how disruptions may affect specific market roles played by the AI (e.g. note issuance or clearing) as well as relationships with counterparties in the interbank market.

For the avoidance of doubt, while the set of criteria defined by AIs for identifying critical operations should encompass elements of both (a) and (b) above, a given operation need not impact both (a) and (b) in order for it to be classified as a critical operation.

In the process of identifying its critical operations, an AI may, where appropriate, leverage on relevant concepts covered within its recovery and resolution plans.

4.2 Setting tolerance for disruption

4.2.1 A tolerance for disruption should be set for each critical operation. It should include at least a time-based metric, but may also include a combination of other quantitative (e.g. volume or value of transactions) and qualitative metrics (e.g. reputational or legal implications).

4.2.2 In setting the tolerance for disruption, consideration should be given to an AI’s operational capabilities given a broad range of severe but plausible scenarios that would affect its critical operations. AIs should be aware that their operational capabilities may vary during different business cycles or as a result of seasonal factors. For instance, during the periods of time when more initial public offerings are launched, an AI’s trading systems are more likely to come under stress, which could weaken the AI’s ability to respond under severe but plausible scenarios.

4.3 Identifying severe but plausible scenarios

4.3.1 AIs should identify a range of scenarios of different nature, severity and duration relevant to their business and risk profile. Examples of scenarios that AIs may consider include, but are not limited to, pandemics, natural disasters, and failures or disruptions at a third party or within the third party’s supply chain.

4.3.2 When identifying the scenarios, AIs should make reference to previous incidents or near misses within the institution or across financial sectors, as well as in other sectors or jurisdictions, or any situations that could result in significant disruptions given the changing operational landscape.

5. Mapping interconnections and interdependencies underlying critical operations

5.1 The appropriate functions within an AI should identify and document: (i) the people, processes, technology, information and facilities; and (ii) the interconnections and interdependencies among these factors that are necessary for the AI to deliver its critical operations. When considering (ii), an AI should also include those interconnections and interdependencies that depend on third parties and intragroup arrangements.

5.2 The approach and level of granularity of mapping should be sufficient to enable the AI to identify vulnerabilities and facilitate the testing of the AI’s ability to deliver critical operations through disruptions. AIs should also consider whether the approach adopted for mapping under their operational resilience framework is appropriately harmonised with that adopted for recovery and resolution planning purposes.

5.3 The mapping documentation should be prepared in a way that is proportionate to the AI’s size, scale and complexity. It should also be usable by all relevant parties in the event of disruptions.

5.4 AIs are expected to update their mapping documentation on a regular basis, but no less than annually or following any material changes to their operations.



6. Preparing for and managing risks to critical operations delivery

6.1 AIs should be prepared to manage all risks with potential to affect critical operations delivery. As a given critical operation may face a number of risks, AIs should leverage different risk management frameworks, as appropriate, to offer holistic and comprehensive support to the critical operation.

6.2 The HKMA expects that AIs should, at a minimum, take into consideration the following risk management components with respect to operational resilience:

• Operational risk management: As operational risk management focuses on preventing and minimising operational losses, it contributes to an AI’s efforts to maintain operational resilience. Operational risk management should therefore be considered as a crucial element of an effective operational resilience framework.

• Business continuity planning and testing: Business continuity planning and testing supports an AI’s ability to prepare for and recover from emergencies or disasters, and therefore contributes to an AI’s ability to continue delivering its critical operations through disruptions. Accordingly, AIs should ensure that their critical operations are subject to appropriate business continuity planning and testing arrangements.

• Third-party dependency management: As AIs increasingly engage third parties or intragroup entities for the provision of services or delivery of functions, they must ensure that disruptions at these entities will not affect critical operations delivery. To ensure potential risks to critical operations are minimised, AIs should manage their dependencies on third parties and intragroup entities as they would with outsourcing arrangements. Prior to entering into arrangements that support the delivery of critical operations, an AI should verify whether the relevant third parties or intragroup entities have at least an equivalent level of operational resilience to that of the AI. During the course of engagement, an AI should have adequate arrangements in place to continually satisfy itself that the third party or intragroup entity has maintained an acceptable level of operational resilience. In addition, an AI should develop appropriate business continuity and contingency planning procedures and exit strategies to maintain its operational resilience in the event of a failure or disruption at a third party or intragroup entity which may impact its delivery of critical operations. An AI should not enter into, or continue, any third party or intragroup arrangements that may weaken the operational resilience of the AI’s critical operations.

• Information and Communication Technology (ICT) including cyber security: Growing technology adoption raises the likelihood that an AI’s critical operations may depend on or may be affected by lapses in ICT risk management. To minimise risks in this regard, AIs should have in place an ICT policy which covers cyber security, as well as arrangements for ensuring the confidentiality, integrity and availability of critical information assets.

HONG KONG MONETARY AUTHORITY
Supervisory Policy Manual
OR-2 Operational Resilience V.1 - Consultation

6.3 AIs should note that most of the risk management considerations associated with operational resilience are not new, and are already covered by existing HKMA guidance. These include but are not limited to: Supervisory Policy Manual (SPM) modules “TM-G-1 General Principles for Technology Risk Management”, “TM-G-2 Business Continuity Planning”, “OR-1 Operational Risk Management”, “SA-2 Outsourcing”, as well as “Cyber Resilience Assessment Framework 2.0”. AIs should refer to and ensure that they are compliant with the supervisory requirements contained therein.


7. Testing ability to deliver critical operations under severe but plausible scenarios

7.1 AIs should conduct regular testing of their operational resilience framework to ensure that they are able to continue delivering their critical operations through disruptions, including under severe but plausible scenarios.

7.2 When considering the testing requirement, AIs should take into account the following:

• The testing exercises should include realistic assumptions, and should encompass the AI’s interconnections and interdependencies, including those through relationships with intragroup entities and third parties.

• The frequency of testing should be determined based on a variety of factors, including the potential impact of a disruption, how many critical operations an AI has, and whether the operating environment has materially changed.

• Different types of testing (e.g. paper-based, simulations or live-systems testing) serve different purposes and AIs should deploy the most appropriate type of testing based on the nature or needs of the specific testing exercise. An AI should also consider and carefully manage the risks that may be introduced by the testing itself.

• AIs should deploy staff with appropriate expertise to conduct the testing. The testing approach should dictate the type of staff involved, including their seniority, qualifications as well as the function (e.g. first, second or third line of defence) from which they are sourced.

• AIs should consider how they may leverage the testing exercises to enhance their staff’s operational resilience awareness and readiness to operate during disruptions, thereby improving their ability to effectively adapt and respond to different types of disruptive events.

7.3 Where practicable, AIs may leverage on existing testing arrangements, including those devised for business continuity planning purposes, to fulfill the testing requirement relating to operational resilience. An AI should be able to demonstrate how an existing testing exercise enables it to achieve the specific objectives of scenario testing for operational resilience purposes.

7.4 After each testing exercise, an AI should prepare a formal testing report to record any gaps or weaknesses identified, as well as document the remedial actions planned. The reports should be reviewed by the AI’s senior management.



8. Responding to and recovering from incidents

8.1 While an AI should dedicate adequate efforts to preventing disruptions, it should recognise that disruptions will occur no matter how robust its operational resilience framework is. An AI should therefore be prepared to manage and recover from incidents.

8.2 Specifically, an AI should establish an effective incident management programme to manage all incidents, especially those that may impact its critical operations. The programme should cover those incidents that may arise due to dependencies, including those on third parties and intragroup entities.

8.3 The incident management programme should capture the full life-cycle of any incidents and involve:

• Classification of an incident’s severity based on predefined criteria. This should enable the AI to prioritise and allocate resources to respond to an incident.

• Incident response and recovery procedures. These should be reviewed, tested and updated on a regular basis. Their connection to the AI’s business continuity, disaster recovery and other associated management plans and procedures should also be clearly documented.

• Communication plans for reporting incidents to both internal and external stakeholders. Communication should take place during the incident (e.g. to provide performance metrics), and after, including to convey analysis of lessons learned.

• Root cause analysis of incidents to help with the prevention or minimisation of recurrence.

8.4 The incident management programme should be supported by an inventory of internal and third party resources to enable prompt incident response and recovery. It should also reflect the lessons learned from previous incidents, including those experienced by others.

8.5 AIs should note that the above requirements complement existing HKMA guidance on incident management. These include but are not limited to SPM modules “TM-G-2 Business Continuity Planning” and “TM-G-1 General Principles for Technology Risk Management”, and the HKMA’s circular on “Incident Response and Management Procedures” issued in June 2010. AIs should review relevant materials and ensure that they are compliant with the supervisory requirements contained therein.



9. Implementation of operational resilience requirements

9.1 Application

9.1.1 The requirements contained in this module apply to all AIs. Locally incorporated AIs should endeavour to implement the guidance of this module with respect to their subsidiaries and overseas operations, and for overseas incorporated AIs with respect to their operations in Hong Kong.

9.1.2 In line with the HKMA’s risk-based approach to supervision, AIs are expected to implement the requirements in a proportionate manner and develop an operational resilience framework that is “fit for purpose”, i.e. commensurate with their nature, size, complexity and risk profile.

9.2 Timeline for implementation

9.2.1 By [1 year after the date upon which the final module is issued], the HKMA expects an AI to have:
(a) Developed its operational resilience framework; and
(b) Determined the timeline by which it will have implemented the operational resilience framework, and become operationally resilient.

9.2.2 For the purposes of 9.2.1(a), AIs are expected to have identified the operational resilience parameters and commenced a basic programme of mapping. The latter will be crucial to ensuring that an AI adequately understands the interconnections and interdependencies that underlie its critical operations, and in turn, is able to develop the other components of its operational resilience framework, including to identify the specific types of risks to critical operations delivery that need to be addressed, as well as how to most suitably conduct testing. The HKMA recognises that AIs may not be able to produce mapping that reaches the full level of sophistication at the initial stage, and instead, would expect AIs to make continual improvements as they obtain more experience in implementing their operational resilience frameworks.

9.2.3 Given the importance of operational resilience, the HKMA expects AIs to become operationally resilient as soon as practicable. That said, the HKMA also recognises that becoming operationally resilient is a resource-intensive exercise (for reasons including that it involves mapping exercises which may be more complex for larger AIs, and could involve substantial system changes). Taking into consideration the need to accommodate AIs of different size and complexity, the HKMA has decided to allow AIs up to 2 years to become operationally resilient. In other words, the timeline specified under Section 9.2.1(b) should not extend beyond 2 years from [1 year after the date upon which the final module is issued]. After this point in time, an AI will be expected to have fully implemented its operational resilience framework, including to have conducted scenario testing, and be able to satisfy the requirements in Section 1.3. Notwithstanding the 2-year time limit, AIs are encouraged to become operationally resilient as soon as their circumstances allow. The HKMA will engage in active discussions with AIs to review the suitability of their proposed timelines.

9.3 Supervisory approach

9.3.1 Following its risk-based supervisory approach, the HKMA will assess the effectiveness of the operational resilience frameworks of AIs through a combination of risk-focused on-site examinations, off-site reviews and prudential meetings. Where needed, AIs may be required to submit self-assessments of their ability to remain operationally resilient.